Making Your PC Secure Online, Part 1

The Internet is a two-way street. Just as it's easy for you to connect to other sites, it also may be easy for others---for hackers--- to connect to your PC. In fact, by default, many PCs are set up with truly awful online security settings that can leave the door to your system and your hard drive unlocked and wide open!

The more time you spend online, the greater the odds that someone will indeed try to crawl back through your internet connection to get inside your PC. And if a hacker finds a weakness or a security flaw in your setup, he or she can launch a full-blown hack attack that can cause trouble ranging from the merely annoying (slowing down or crashing your computer) to major headaches (potentially reading files, stealing passwords, and worse.)

Many people succumb to one or more of the following myths about online security, and in doing so, leave themselves wide open to major trouble:

Myth #1: "I'm not on a network, so my PC is safe."

The Internet *is* a network, and any Internet-enabled stand-alone PC will have some or all the same networking protocols running that you'd find on a PC in (say) the heart of a huge business setting. But a PC in a huge business setting probably has corporate firewalls and a professional IT staff working to keep it safe. In stark contrast, a PC in a small business, home office, or a laptop used in the field (away from corporate security measures), or a personal-use home system may have a networking setup that's wide-open, totally vulnerable to hackers--- and you might not even know it. The threat is very, very real: With today's "always on" connections such as cable modems and DSL, you can be virtually certain that at least two or three or four (or more!) bonehead miscreant hackers will try to break into your PC every single day!

Myth #2: "I just use Dial-Up connections, so my PC is safe."

Dial-up connections come and go; each time you dial-up, you get a slightly different ("dynamic") numeric Internet protocol (IP) address. This makes it harder for a hacker to find you than if you have a "static IP" or an always-on connection. But hacker tools have evolved to the point where they can scan literally tens of thousands of IP addresses an hour. With so many hackers scanning so many possible addresses, even dial-up connections can and do come under hack attacks.

Myth #3: "I use an anti-virus app, so my PC is safe."

A good anti-virus app will indeed protect you--- against viruses and similar problems. But it'll do nothing to prevent a hacker from lifting information off your system or crashing your PC. It'll do nothing to prevent a malicious (but programmatically legitimate) application from surreptitiously "phoning home" and sending information about you or your system back to some other site or person. Anti-virus tools are just one small (but important) part of online security.

Myth #4: "I use a firewall, so my PC is safe."

Firewalls are great, but if your PC is inherently insecure in and of itself, then totally relying on an add-on program to provide security puts all your figurative eggs in one basket. If the firewall software itself has a flaw or a bug, or if anything goes wrong with it, you're toast. Plus, some firewalls are useless against viruses or similar apps; most do absolutely nothing about malicious apps that quietly send data about you or your system back to an outside source; and some firewalls actually can make things worse because they advertise their presence to hackers, inviting specialized attacks designed to defeat that particular kind of firewall.

But there are solutions. Using tools you already have, and for free, you can vastly improve your online security--- and that's what my WinMag column is about this week: I'll cover the essentials of how to set up your Internet connections so as not to needlessly create security holes. In future columns, we'll talk about other techniques and products (some also completely free!) you can add to further reduce security problems.

With the secure networking foundation I'll show you in the WinMag column, any firewalls or other products you use will only add to an already-safe setup. And, if there turns out to be a problem with your firewall or security software, you won't be left totally exposed to hackers. You won't have all your security "eggs" in one basket!

Because this is a column and not a full-blown feature article, I’ll be moving along fast: Check the References listings to follow up on any steps or concepts that aren’t clear to you.

If geekspeak makes your eyes glaze over, you may wish to skip to the next section. But reading this will only take a minute, and will help you understand the "why” of the information in the next section:

In simplified form, you can envision that your working connections have three levels or "layers." The deepest layer is the one that physically connects you to a network you’re trying to reach -- and it involves hardware. For dial-up, it’s the "Dial-Up Adapter" that lets your PC’s networking plumbing talk to your modem. On a LAN, it’s the "Network Adapter” software that lets your PC talk to your network card. DSL, cable, and similar systems also usually use a network card. A PC can have one or more hardware adapters simultaneously running, side by side: For example, I have a PC connected to a cable modem; it’s also on my office LAN, and is connected to a dial-up modem. That system has two network adapters and a dial-up adapter in its networking setup.

The middle networking layer is made up of the communication protocols or "languages" that your system uses to talk to other networks. The Internet’s lingua franca is "TCP/IP." Other commonly used protocols are NetBEUI and IPX/SPX. These protocols also can operate side-by-side: Any protocol can simultaneously be tied (or "bound") to one or more hardware adapters; likewise a hardware adapter may simultaneously be bound to multiple protocols.

The topmost layer is the networking services -- the logons, the "print and file sharing," the "client" software that sits on top of the rest of the plumbing and lets you do the things you want to do on the network. Unfortunately, they’re a two-way street, so they may also let hackers do what they want to do!

So, the trick to making your PC secure is to ensure that any dangerous settings or services (such as "print and file sharing”) are never needlessly connected to a protocol or adapter that’s accessible from the Internet at large, where hackers might exploit them. In other words, by carefully selecting what gets "bound” to what, you can ensure that inherently unsafe services and protocols are simply not accessible to or from your Internet connection.

The information I’ll present here isn’t dangerous, but it’s always a good idea to make a backup of critical data on your system before you start making any system changes; and to write down what your settings were so you can restore things if you need to. If you’re on a LAN or if you have special networking needs (such as the need to connect remotely to a corporate LAN or VPN from a home office) talk to your network administrator before implementing any changes.

Let’s start by examining your networking setup: Right-click Network Neighborhood and select Properties. (Or click the Network icon in Control Panel, which is the same thing.)

What we’ll now do is remove the parts of your networking setup that make it easy for someone to connect to your PC via the Internet’s protocol: TCP/IP:

If you don’t have a dial-up connection, skip to the next paragraph. Otherwise, double click Dial-Up Adapter, then Bindings. UNcheck anything in the bindings box except TCP/IP; then click OK. Next, in the main network dialog, double-click the item labeled "TCP/IP -> Dial-Up Adapter." (You may have to scroll down in the window to see it. Also, if a Dial Up Adapter is the only adapter in your system, it may simply say "TCP/IP.") You may get a warning from Windows about the danger of changing these settings; ignore the warning -- the real danger is in not changing these settings. After you dismiss the warning dialog box, click on the Bindings tab. In the Bindings box, if "Client for Microsoft networks" and/or "File and printer sharing for Microsoft networks" are present and checked, UNcheck them, and click OK. If they were the only things TCP/IP was bound to, you’ll get a warning that states: "TCP/IP is no longer bound to any drivers" and asks whether you want to select one. Answer "No." You do not want clients or sharing services bound to TCP/IP.

If you have a network card or cards in your system, for each card click on the TCP/IP label. For example, in my system, which uses an inexpensive Realtek brand network interface card (NIC), I’d click on "TCP/IP -> Realtek RT8029(as) PCI Ethernet NIC." Click the bindings tab, and be sure that "Client for Microsoft networks" and "File and printer sharing for Microsoft networks" are UNchecked.

But what if you’re on a LAN and want to share your files or printers locally? The solution is to add another, non-Internet protocol -- IPX/SPX or NetBEUI. Add the appropriate Microsoft Networking Client, click on "File and Print Sharing," and enable print sharing, file sharing, or both. Now go back and examine the bindings for every adapter and every protocol in your system. Make sure that the "Client for Microsoft networks" and "File and printer sharing for Microsoft networks" are present and checked only for IPX/SPX and/or NetBEUI. At the same time, be sure they are not checked for TCP/IP. Then, repeat the same process on all the other PCs on the LAN. In this way your PCs will use only vanilla TCP/IP for communicating over the Internet, and will use a non-Internet protocol for printer and file sharing among themselves. Because Internet hackers must use TCP/IP, they’ll have a much harder time trying to get at your shared files or printers. That makes your PC and your LAN is now much more secure than it was before.

Note that any changes you make to your networking setup may reset your bindings and other settings even in areas you didn’t touch. Any time you (or any software you install) make any changes to your networking setup, step through the process above to make sure that your TCP/IP connections remain clean and unbound to client software or print and file sharing services.

AOL is notorious for this: It adds its own (often unnecessary) adapters to your networking setup, and may improperly alter your bindings. Some users report that after installing AOL, their print and file sharing was bound to TCP/IP -- offering their files and printers to anyone who wanted to try to connect! The trick is to, either avoid AOL altogether, or to check manually each and every networking element to ensure that nothing is bound to your outbound TCP/IP connections after you install AOL.

There’s lots more you can do to improve your networking security, and we’ll cover that in future columns. But the above steps will eliminate the most common and glaring network security problems for Windows PCs, and give you a more secure foundation for all your online activities. Once you’ve learned the process, the whole thing takes only a minute to set up or check, requires absolutely no add-on software, and best of all, it's totally free!